PT-2020-14394

Published 2020-07-15 · Updated 2024-06-21 · CVE-2020-15366

CVSS v2.0: 6.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Ajv (Another JSON Schema Validator) versions before 6.12.3; the CVE record names 6.12.2.
Description: An issue was discovered in ajv.validate() in Ajv 6.12.2. A carefully crafted JSON schema passed to the validator can pollute Object.prototype and thereby allow execution of other code. Ajv already recommends against validating with untrusted schemas, but the worst case for an untrusted schema should be a denial of service, not code execution.
Recommendations: Upgrade to Ajv 6.12.3 or later, which contains the fix. Until the upgrade is deployed, do not pass schemas from untrusted sources to ajv.validate() or ajv.compile(); if a service must accept caller-supplied schemas, reject any schema containing the keys __proto__, constructor or prototype before it reaches the validator.
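The following is an added example written for this entry; it is not Ajv's code and does not reproduce the Ajv code path the CVE describes. It shows the two checks a service accepting caller-supplied schemas would want around any validator: a pre-parse guard that rejects schemas carrying keys that can reach Object.prototype, and a canary that detects that the prototype has already been polluted. The naive merge at the end is a generic illustration of the prototype-pollution class, included only so the canary has something to catch. All helper names, marker names and sample schemas are this example's own.

```javascript
"use strict";
// Added example (not Ajv's code): guards a service can apply to JSON schemas
// that arrive from untrusted callers before handing them to ajv.validate() or
// ajv.compile(). All helper and key names are this example's own.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks a parsed schema (any JSON value) and returns the path of the first key
// that could be used to reach Object.prototype, or null when none is found.
function findUnsafeKey(value, path = "") {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findUnsafeKey(value[i], `${path}/${i}`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === "object") {
    // JSON.parse creates an own "__proto__" data property; Object.keys lists
    // it, whereas dot access on a normal object would hide it behind the getter.
    for (const key of Object.keys(value)) {
      const here = `${path}/${key}`;
      if (FORBIDDEN_KEYS.has(key)) return here;
      const hit = findUnsafeKey(value[key], here);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Boundary check: parse the schema text, throw on an unsafe key, otherwise
// return the parsed schema for the validator.
function assertSafeSchema(schemaText) {
  const schema = JSON.parse(schemaText);
  const hit = findUnsafeKey(schema);
  if (hit !== null) throw new Error(`refusing schema: unsafe key at ${hit}`);
  return schema;
}

// Canary: none of the marker names may be reachable from a fresh object.
// The marker list is this example's choice; a real deployment would use a
// name it knows attackers probe for, or its own sentinel.
function prototypeIsClean(markers = ["polluted"]) {
  const probe = {};
  return markers.every((name) => !(name in probe));
}

// Generic illustration of the bug class, not Ajv's internal code path: a naive
// recursive merge reads target["__proto__"], gets Object.prototype back, and
// then writes the attacker's keys onto it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v !== null && typeof v === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Runs the whole story and returns the observations; cleans the prototype up
// afterwards so other code in the same process is unaffected.
function demo() {
  // Constructed inputs: a benign schema and one carrying a forbidden key.
  const benign = '{"type":"object","properties":{"name":{"type":"string"}}}';
  const hostile = '{"type":"object","properties":{"__proto__":{"polluted":true}}}';
  const result = {
    benignRejectedAt: findUnsafeKey(JSON.parse(benign)),   // null
    hostileRejectedAt: findUnsafeKey(JSON.parse(hostile)), // "/properties/__proto__"
    cleanBefore: prototypeIsClean(),
  };
  // What a guard-less consumer of the same document would have done:
  naiveMerge({}, JSON.parse(hostile).properties);
  result.cleanAfterMerge = prototypeIsClean();             // false
  delete Object.prototype.polluted;
  result.cleanAfterCleanup = prototypeIsClean();           // true
  return result;
}

console.log(demo());
```

The guard is deliberately conservative: a schema whose `properties` legitimately describes a field called `constructor` or `prototype` is rejected too, which is the right trade-off at a boundary that accepts schemas from unauthenticated callers. The canary is only a detector; once `prototypeIsClean()` returns false the process should be treated as compromised and restarted, not patched up with `delete` as the demo does for tidiness.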

Exploit

Fix

DoS

Prototype Pollution


Weakness Enumeration

Related Identifiers

ALSA-2020:5499
ALSA-2021:0548
ALSA-2021:0551
CESA-2020_5499
CESA-2021_0548
CESA-2021_0551
CVE-2020-15366
GHSA-V88G-CGMW-V5XW
OESA-2022-1620
RHSA-2020:5305
RHSA-2020:5499
RHSA-2020_5499
RHSA-2021:0421
RHSA-2021:0521
RHSA-2021:0548
RHSA-2021:0551
RHSA-2021:0781
RHSA-2021_0548
RHSA-2021_0551
RLSA-2020:5499
RLSA-2021:0548
RLSA-2021:0551

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Ajv